Goldman Sachs Demanding E-Mail Be Deleted

Goldman Sachs is going to court to demand that Google retroactively delete an e-mail it accidentally sent.

The breach occurred on June 23 and included "highly confidential brokerage account information," Goldman said in a complaint filed last Friday in a New York state court in Manhattan.

[...]

Goldman said the contractor meant to email her report, which contained the client data, to a "gs.com" account, but instead sent it to a similarly named, unrelated "gmail.com" account.

The bank said it has been unable to retrieve the report or get a response from the Gmail account owner. It said a member of Google's "incident response team" reported on June 26 that the email cannot be deleted without a court order.

"Emergency relief is necessary to avoid the risk of inflicting a needless and massive privacy violation upon Goldman Sachs' clients, and to avoid the risk of unnecessary reputational damage to Goldman Sachs," the bank said.

"By contrast, Google faces little more than the minor inconvenience of intercepting a single email - an email that was indisputably sent in error," it added.

EDITED TO ADD (7/7): Google deleted the unread e-mail, without waiting for a court order.

Comments

I'd hate to have to break this to them, but not only has that horse already bolted, it's had a good long career on the racing circuit and is currently living out a happy life as a stud on some farm somewhere.

I mean, they can shut the stable door all they like, but it's really quite pointless.

Not surprising that a lot of sensitive and compartmentalized data are sent over the network (intra/extra) without encryption at all considering the difficulty of using PGP or decent email encryption software.

I would have thought that a company like Goldman Sachs would have sophisticated systems in place to prevent this kind of thing.

Several of the financial companies I've worked at (investment banks and insurance companies) have systems in place to scan outgoing email for sensitive information and limit what gets through and who can send what and which recipients are allowed. These are really just whitelists, so hardly rocket science.

This looks like a pretty good business opportunity for Google and the other cloud email providers.

US$50K to initiate a search for an escaped email, and upon finding it another $50K to delete it from the servers.

While doing this they can get their "customer" to sign a contract indemnifying them and holding them harmless from any consequences stemming from the possibility that the recipient or the NSA has acted on the email, forwarded it, stored it locally, or published it, or that anybody will sue them for reading their email to find the escapee.

I don't believe how people think that kind of warning on the bottom should work. Perhaps in the USA, I don't know... but basic logic, to me, seems to indicate that if you receive the email, you are an intended recipient. Whoever typed your email in the "To", "Cc" or "Bcc" wanted to send the email to your address. If he was mistaken (thought that your email was from someone else, or things like that), it's his problem...

We use a webapp called ZendTo (http://zend.to/) to exchange data between employees and contractors - instead of sending your precious data via email, it emails a link to the data, so that when you fatfinger an address (which happens to everyone eventually), and you happen to notice quickly enough, you can revoke the link.

20 years ago we had rules against emailing clients with AOL or Hotmail addresses because of the risk that a single wrong digit could send the email to somebody else - and Goldman gets the entire domain wrong.

It's reasonable to me (meaning within the law as I don't really agree with current copyright law) for the author of the email to require it "returned" - copies deleted. Despite what some suggest the recipient was not the intended party and has no rights over the email. Actually I've always assumed that's how it does work in that just like letters and other creative works the author retains their copyright in it.

But like so many point out what idiots sending it to the wrong place; personally I've been meaning to find a white list plugin for gmail to help avoid that sort of risk. It might be nice to have white lists that are mutually exclusive so it doesn't let me send things to addresses off mixed lists.
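The recipient allowlist check described in the comments above (permitted domains, and lists that must not be mixed in one message), as an added example that is not part of the original thread or of any product's code. The policy tables, mailbox names and `.example` domains are constructed; only `gs.com` comes from the article, and the check also flags the article's failure mode, a known internal mailbox name at an outside domain.

```python
"""Outbound recipient policy check (illustration; policy data below is constructed)."""
from email.utils import getaddresses

INTERNAL_DOMAIN = "gs.com"                      # domain named in the article
INTERNAL_USERS = {"jane.doe", "ops.reports"}    # constructed internal mailbox names
# Constructed allowlist: domains that confidential mail may be sent to.
ALLOWED_DOMAINS = {"gs.com", "auditor.example", "counsel.example"}
# Constructed mutually exclusive lists: one message must not reach more than one.
EXCLUSIVE_GROUPS = {
    "client-a": {"auditor.example"},
    "client-b": {"counsel.example"},
}


def split_addr(addr):
    """Split 'local@domain' into lower-cased parts; local is '' if there is no '@'."""
    local, _, domain = addr.rpartition("@")
    return local.lower(), domain.lower()


def check_recipients(header_values, confidential):
    """Return a list of (subject, reason) violations; an empty list means 'send'."""
    violations = []
    groups_hit = set()
    for _, addr in getaddresses(header_values):
        local, domain = split_addr(addr)
        if not local or not domain:
            violations.append((addr, "unparseable address"))
            continue
        for group, domains in EXCLUSIVE_GROUPS.items():
            if domain in domains:
                groups_hit.add(group)
        if domain == INTERNAL_DOMAIN:
            continue
        if local in INTERNAL_USERS:
            # Right mailbox name, wrong domain: the mistake described in the article.
            violations.append(
                (addr, f"matches internal user; did you mean {local}@{INTERNAL_DOMAIN}?")
            )
        elif confidential and domain not in ALLOWED_DOMAINS:
            violations.append((addr, "domain not on allowlist for confidential mail"))
    if len(groups_hit) > 1:
        violations.append(
            (", ".join(sorted(groups_hit)), "recipients from mutually exclusive lists")
        )
    return violations


if __name__ == "__main__":
    # Constructed sample: To and Cc header values of one outgoing message.
    sample = ["Jane Doe <jane.doe@gmail.com>", "x@auditor.example, y@counsel.example"]
    for subject, reason in check_recipients(sample, confidential=True):
        print(f"BLOCK {subject}: {reason}")
```

A check like this belongs at the outbound mail gateway or in the mail client's send hook, where a violation can hold the message before it leaves.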

@ noonnee: I don't believe how people think that kind of warning on the bottom should work.

I once had a very bright mid-level manager try to tell me I could be prosecuted for mishandling mail that should not have been sent to me. She showed me the long warning at the bottom of their e-mails and I asked them if I had ever signed a contract agreeing to such terms? They ended up having a long meeting with the CIO and company legal team and birthed a new, much less stern e-mail warning.

Honestly, just because someone puts up a sign on the side of the street does not mean every person who drives by is legally bound to it.

Dear Goldman Sachs:
Your employee wrote confidential data on a _postcard_, wrote the wrong address on it, and handed it to a person on the street, asking them to drop it in the nearest mailbox. Said person passed it on to many other people before it finally got to the mailbox.
The USPS securely delivered the postcard to the addressee's PO Box, and now you have to get a court order to have the USPS destroy the postcard. What did you expect? They're not going to do it on your say-so; the postcard is now the recipient's property. By the way, you overlooked all the people in the chain who got it to the mailbox in the first place.
Sincerely,
The Internet

Noonnee,
When I get an email trying to impose conditions on me, I reply, stating that I reject their terms, they may not unilaterally impose a contract on me, and telling them that by sending email to any of my email addresses they are explicitly stating that I am an intended recipient and that I may do anything I want with the information in the email.

I wonder how such a company would react if I sent them an obviously misaddressed email (e.g., "Have you told your husband about your affair yet, Tammy?" to a guy named Steve) with their own disclaimer at the bottom, including the request to call such-and-such phone number. If they don't, then they obviously don't think their own disclaimer has any force. I wonder how that would affect them legally?

unnecessary reputational damage to Goldman Sachs
It seems rather necessary to me.

Rather than eradicating the reputational damage to GS they're just passing the damage on to Google. Having the reputation of deleting your emails at the behest of a third party is no way to win customer confidence. At the very least it'll just encourage folks to auto-forward their Gmail to another mailbox for safekeeping. Good business for Ifttt, Zapier and the like doing it automatically.

Would this "error" have been possible if all Goldman internal emails used PGP signing/encryption? If I had a company like Goldman, PGP signing would be mandatory at a minimum and client software would have shown a problem with email address.

It may be worth making the point that Goldman employees will not necessarily have serious exposure to data protection and sensitivity issues; Goldman doesn't have retail accounts and its main stock in trade is not vast reams of private individuals' personal details. It is not much of a surprise that data security is more lax at an investment bank than a retail bank.

@James: Encryption maybe, signing no. You sign e-mails with your own key, regardless of the recipient. If the guy already had the PGP key for the @gs.com e-mail address in his keyring (and he knew this), then he would have likely caught his mistake when he found he couldn't send the e-mail encrypted. If he had to retrieve the key from a keyserver before sending the e-mail and the @gmail.com account also had a PGP key on the same keyserver, then potentially he could have made the same mistake, though obviously it would have been less likely.

Do not take this as an endorsement, but does anyone know if GS has copyright grounds to prevent Google from reproducing their e-mails? It would obviously be a blatant misuse of the copyright system, but I imagine that e-mails sent in error do not constitute an implicit license to reproduce the content in the same way that if I accidentally e-mail you a copy of a forthcoming album you wouldn't be able to legally publish it or even send it to anyone else.

Given our already unfortunate laws in this area, I wonder if GS could send a DMCA takedown to Google to prevent them serving the e-mail to anyone (including the accidental recipient).

Of course, if the @gmail.com e-mail owner has already retrieved the e-mail, it's kinda shutting the barn door after the horses have left anyway.

@x11
Issue is not regarding copyrights. The main problem is sending an email to the wrong person. The inbox belongs to an unintended recipient and now if they want legal action, they should go to the recipient to carry out necessary legal actions to close any leaks. I don't think copyright law would work because it's not really a copyright issue but more of a commercial secrets issue. Something close to a commercial secrets retention law should be the focus.

@Thoth: Obviously it's not conceptually a copyrights issue, but in point of fact you own the copyright to anything you write or produce, including e-mails. By the letter of the law, you could almost certainly make an argument that Google is publishing e-mails sent to its servers. Presumably sending an e-mail grants an implicit license to the recipient (Google's servers) to do this, but when you explicitly clarify that the e-mail was sent in error, I would imagine that the implicit license is revoked and Google no longer would have license to publish the text you wrote (even to a limited audience of one person).

Considering GS to have a copyright interest in its employee's e-mail (either if their lawyers are acting as the employee's proxy or if they own the text as a work made for hire), you can imagine that the same arguments would apply there as if a courier accidentally delivered a movie script to the wrong person, i.e. they cannot legally publish it.

I would guess that it would actually come down to questions of whether Google showing the e-mail you sent to the person it's addressed to is actually considered a publication. I imagine it's possible GS could issue a DMCA takedown order and force Google to remove the e-mail from the recipient's e-mail box while the matter was settled. I doubt it would even violate the good faith clause of the DMCA.

noonnee wrote: "but basic logic, to me, seems to indicate that if you receive the email, you are an intended recipient"

If the actual recipient forwarded it to you then you did not receive it from the sender and you are not the sender's intended recipient. The wording is meant to cover that event.

Separately,

As far as Goldman's court action, it looks like standard CYA. They could then say to the intended recipient "we (GS) did everything humanly possible, it's out of our hands, you need to go to Google to get the email 'back'". As it turns out, Google did 'block' the email pending the court action and GS can now say to the intended recipient "See how great we did recovering from the error". Either way, GS improved their position.

Wow. It's interesting how the sentiment in many of the above comments is that it is somehow wrong for Goldman Sachs to try to fix a mistake. What else are they supposed to do? "Oh no, our confidential data was sent to the wrong place GUESS WE'LL JUST SIT HERE AND DO NOTHING."

I mean, a couple of people get it (e.g. it was a contractor, not a GS employee; they got a court order because supposedly that's what Google told them to do; neither GS nor Google is refusing to cooperate; etc.).

And then there are people who obviously only read the first line of the summary and subsequently assumed GS themselves must have screwed up due to gross incompetence (arguably by hiring that contractor?) and is now blaming Google for the error, or complaining that security and/or email doesn't work how they expect it to, or even (and I love this) suing Google for not fixing it for them.

---

I assumed Bruce's concern over this article was supposed to be what to do when your private stuff ends up in the hands of people who are known to save everything. Court order, I guess? Also fire the contractor who gave it to them.

Wow. It's interesting how the sentiment in many of the above comments is that it is somehow wrong for Goldman Sachs to try to fix a mistake. What else are they supposed to do?
Goldman Sachs is THE mistake that should be fixed, in the forgiving spirit of The Old Testament: Bankrupt, the executives left to rot in jail and the ones who beat the rap publicly murdered by Zetas (or eaten by frogs falling from the sky).

Seriously, why should this be Google's problem?
Us regular folks don't bother with encrypting emails cause it's a pain but Goldman Sachs? Their IT dept should have public key crypto set as a one click option for email. If the recipient didn't have a public key, the email should not have been sent.

@Alex: It's reasonable to me (meaning within the law as I don't really agree with current copyright law) for the author of the email to require it "returned" - copies deleted. Despite what some suggest the recipient was not the intended party and has no rights over the email. Actually I've always assumed that's how it does work in that just like letters and other creative works the author retains their copyright in it.

Alex, the law doesn't work like that. The person (call zir Alex) to whom the email was sent is the intended recipient because the law doesn't protect the sender from the sender's own mistakes. Alex doesn't have any legal or contractual relationship with GS or the contractor, and owes them no duty re confidentiality or returning the info. Legally, GS is stuck as concerns Alex. (They might have an action regarding the contractor but I doubt it. The contractor was doing proper work assigned to zir, etc., and made an honest and common mistake.)

Their best bet is to ask nicely - which I imagine they tried but, as reported, were unable to contact Alex.

Hmm, have people considered this bit of nonsense may have been leaked by GS to cover up another more embarrassing story?

For instance some ex-GS Executives (Christina Chen-Oster and Shanna Orlich) are starting a Class action by putting in front of a Manhattan federal judge a petition for and on behalf of GS female employees past and present who have suffered sex discrimination by the "boys school" culture pushed hard from the most senior of levels...

If you were a senior exec in GS ask yourself honestly which story you would rather have in the papers, the above somewhat over hyped trivial story that actually does not portray GS in that bad a light. Or the sex discrimination story that could end up costing GS vast amounts of money (it can easily be shown that female employees have been paid about a quarter less wages than men doing the same job, held back on promotions as well as having suffered persistent abuse, just paying the missing wages and raise and bonus loss for the past ten years being claimed would be an eye watering sum before you even start talking about the damages on top for abuse that shows every sign of having been "standard policy" in the GS worldwide operation approved from the most senior levels...).

And if an exec for another organisation, you might well ignore the trivial story as it is unlikely to tar your organization with the same brush. But a global sex discrimination Class Action that will get publicly very messy once in the press, would you want your organization tarred with the same brush? Especially with the stories of GS personnel hiring strippers for "full on" entertainment of client and client to be representatives... I suspect that quite a few shareholders will find such GS business morally and ethically repugnant and will hold execs even mildly tainted by such behaviour to account.

Worse of course is the effect it could well have on ex-GS male staff that have slimed or wormed their way into Government positions, I suspect their peccadilloes will receive more than cursory investigation by the press and others, and I suspect even a little digging will turn up a veritable "bone yard" of skeletons that many would wish to keep buried permanently.

Thus I would treat many other "blown out of the water" but really nonconsequential stories like the above about GS as little more than a PR smoke screen...

That's an interesting possibility. I find it hilarious that two former executives would sue Goldman over discrimination given its power and nature. I mean, this is one of the greediest, most corrupting, and market destroying companies in the U.S. Internally and externally. These women were a huge part of it. Makes me feel less sympathy.

In any case, I figure it's their way of squeezing some extra money out of Goldman through a settlement. They know they won't change them or beat them. Their actions might also make things more difficult for the women still there. So, pure financial and selfish motivation seems likely. That's unsurprising for ex-Goldman people.

Note: Having seen pictures of them, I'd believe the claim the guys said they were hired partly for attractiveness. Whole thing reminds me of Wolf of Wall St. ;)

...Well, no. It's embarrassing, sure. But if confidential legal details start spraying onto the web, that's *far* more damaging for them as a business.

If they can get a court order, sorry, not really seeing the issue either. There was a court order a few years back about a parcel being held at a Royal Mail office, ordering them to return it (as it was sent in error), this is no different.

I am wondering about this. They claim, of course, that it was a contractor error, but if you think about how ongoing email conversations work it could also have been a GS error, or even a not-an-error whereby GS did in fact ask for the document to be sent to that address and then realized it was making a mistake.

You also have to wonder what's in the document that would lead to reputational damage past "We're a multibillion-dollar company that can't treat our client information securely, as required by law." (What will also be interesting is seeing the filings when GS claims that this request for a court order does not amount to evidence that a violation of best practices occurred.)

@fajensen:
Granted, but my point was that trying to contain confidential data that was accidentally leaked by one of their contractors is a good thing. Do we really need to mischaracterize a good thing in order to have something to bash them about? When they already have so many terrible things to choose from?

Random gmail account is possibly not even checked by anyone first of all.
Second of all any financial report email looking like it's from GS might go into spam and remain undetected.
Third, any such email would most likely be completely disregarded as some sort of phishing attempt, or possibly just not understood at all, by a random gmail account holder (I would pay no attention to it myself, just delete).

Now, if the big bad GS lawyers and the police and justice comes knocking, then I'd want to understand and know what is so important about this email. All of a sudden it's interesting.